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1. EXECUTIVE SUMMARY 


On 15 th July 2011, the Council of Luxembourg Government ap- 
proved the creation of a new governmental entity known as 
Computer Emergency Response Team of the Government of 
Luxembourg (hereafter GOVCERT.LU). GOVCERT.LU is respon- 
sible for handling cybersecurity incidents in Luxembourg’s 
public sector institutions and critical private sector infra- 
structures, which are monitored by the Haut-Commissariat a 
la Protection Nationale (hereafter HCPN). 

In its latest risk report for 2013 The World Economic Forum 
(WEF) has recognised cyber-attacks among the top global 
risks with the highest likelihood of occurrence. In fact, dur- 
ing the period 2012-2013 the Luxembourg's public sector 
has been affected by several incidents which have had lim- 
ited impact on information security. A number of threats 
were identified, which could have affected governmental 
infrastructures not only in Luxembourg but throughout the 
world. Among these incidents were “Red October”, "APTi” and 
“Mini Duke”. 

Incidents are handled by the security analysts at GOVCERT.LU 
and categorised into several types according to their severi- 
ty, attack type, complexity, impact and other relevant factors. 
Incident categorisation has enabled GOVCERT.LU to handle 
these issues in a more efficient manner, allowing them to 
keep a record of incident trends over time in order to refine 
the future protection strategy and measures. 

GOVCERT.LU activities and services actually go beyond pure 
incident handling. The management has defined a strategic 
plan of short and medium-term measures to increase the 


preparedness of GOVCERT.LU towards cybersecurity. Such 
measures are integrated in GOVCERT.LU’s agenda and will 
be fully deployed in the coming years and include proactive 
activities such as malware analysis, vulnerabilities manage- 
ment, development of security tools and training sessions 
to various stakeholders, playing an important role in making 
Luxembourg a “safer” place. 

GOVCERT.LU is not a stand-alone organisation. It sustains an 
important role at national and international levels, having 
active cooperation on a day-to-day basis with many institu- 
tions such as HCPN and Centre des Technologies de I’ Infor- 
mation de I’Etat (hereafter CTIE). It also strongly encourages 
collaboration with international agencies like European Net- 
work and Information Security Agency (hereafter ENISA) or 
other CERTs. 
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2. INTRODUCTION 


Computer Emergency Response Teams (CERTs), also known 
as Computer Security Incident Response Teams (hereafter 
CSIRTs) are the key organisational instruments for Critical 
Information Infrastructure Protection (hereafter CUP). Every 
country must have capabilities at hand to effectively and ef- 
ficiently respond to information security incidents. CERTs act 
as primary security service providers for governments and 
citizens, as well as educating and raising awareness (more 
details on CSIRT activities in section 2.1). 

This Computer Emergency Response Team of the Govern- 
ment of Luxembourg activity report (GOVCERT.LU) con- 
cludes/highlights: 

• The main activities carried out by GOVCERT.LU which 
revolve around the handling of information security 
incidents at government infrastructural level; 

• Key security trends and statistics of incidents handled dur- 
ing the period of April 2012 to September 2013; 

• National and international collaborations with other gov- 
ernmental institutions, European CERTs, and other cyber- 
security teams /forums. 

This report is organised into three chapters: 

Overview of GOVCERT.LU: Background information on GOV- 
CERT.LU, its vision, and overview of its organisational struc- 
ture and outlook of future steps. 


State of Security: This chapter presents details about key 
security trends, statistics from recorded incidents and the 
regulatory context applicable to the European Union and 
specifically to Luxembourg. 

Activity report: This section provides more insight into the 
activities of GOVCERT.LU beyond incident handling, such as 
malware analysis, development of security tools, national 
and international collaborations and key events organised. 

Explanations of jargon and technical terms can be found in a 
glossary (“Additional Information" section) at the end of this 
report. 

2.1 CSIRT main activities 

A CSIRT is a service responsible for receiving, reviewing and 
responding to computer security incidents. 

The size and structure of a CSIRT depends on the organisa- 
tion it serves. CSIRTs can support public institutions, a coun- 
try or even an entire region (e.g. the Japan Computer Emer- 
gency Response Team Coordination Center or the AusCERT 
for the Asia-Pacific area). A CSIRT can also be formed as an 
ad-hoc team, created to respond to a specific incident when 
the need arises. 

A CSIRT can carry out both reactive and proactive functions 
to protect the critical assets of an organisation. There is no 
standard set of functions a CSIRT provides. Whatever services 
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it chooses to deliver, the objective must be based on the busi- 
ness goals of the constituent. Protecting critical assets is the 
key to success of both the organisation and the CSIRT. 

CSIRTs help organisations to contain and to recover from 
computer security breaches and threats. This reactive func- 
tion is called incident handling. Usually, it includes three 
main functions: 

1. The incident reporting function enables a CSIRT to serve 
as a central point of contact for reporting local problems. 
All incident reports are collected in a single location where 
information can be reviewed. 

2. The incident analysis function is used to determine trends 
and patterns of intruder activity and recommend corre- 
sponding preventative strategies to the organisation. Inci- 
dent analysis also involves taking an in-depth look at an 
incident report or incident activity to determine the scope, 
priority and threat, along with researching possible re- 
sponse and mitigation strategies. 

3. The incident response function can take many forms. A 
CSIRT may send out recommendations for recovery, con- 
tainment or prevention to the organisation or perform 
those response steps itself. 

ACSIRT’s services may also include proactive functions. These 
types of services are related to security awareness training, 
intrusion detection, penetration testing, documentation or 
even software development. These proactive functions can 
help an organisation to not only prevent computer security 
incidents but also to reduce the time it takes to react to an 
incident. 


The reactivity constitutes a critical consideration in assem- 
bling, maintaining and deploying an effective CSIRT. A rapid, 
accurately targeted and effective response can minimize the 
overall damage caused by a specific incident. Another impor- 
tant consideration involves the ability of the CSIRT to support 
law enforcement bodies in tracking down the perpetrators of 
an incident in order to effectively prosecute them. 
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OVERVIEW OF GOVCERT.LU 


3. Background on GOVCERT.LU, vision and 
strategy 

GOVCERT.LU mainly focuses on the new challenges that 
information and communication technologies offer to- 
day as Luxembourg heads towards becoming a global ICT 
player. With the aim of strengthening its existing entities 
for fighting cyber-attacks, the Council of the Luxembourg 
government approved the creation of two new governmen- 
tal departments during a session held on 15 th July 2011 : the 
Luxembourgish Cyber Security Board and the governmental 
CERT (GOVCERT.LU). 

GOVCERT.LU acts at both national and international levels to 
protect the Grand Duchy of Luxembourg against major cyber 
threats, to provide an attractive, secure and reliable environ- 
ment for local businesses in Luxembourg, and to protect the 
privacy and fundamental rights of people in Luxembourg. 

To fulfil its missions, GOVCERT.LU is mandated to cover clas- 
sified and non-classified infrastructures, to react and to coor- 
dinate in the event of incidents, to prevent and detect major 

incidents and to improve coordination among governmental 
departments within the scope of incident handling and re- 
sponse. 

GOVCERT.LU supports its constituency with a set of reactive 
and proactive services in the field of information /IT security 
and is authorised to handle and to address all types of infor- 
mation security incidents, which occur or threaten to occur, in 
the networks, systems and services that fall into its mandate. 


Since GOVCERT.LU is still in its early years of operation, its ser- 
vices have been deployed gradually. At the moment GOVCERT. 
LU is significantly involved with incident handling, however 
its agenda includes services which will become more vibrant 
in the coming years. Some of these services including mal- 
ware analysis, development of security tools and provision of 
training sessions are detailed in this report. 




Message from GOVCERT.LU (Computer Emergency 
Response Team of the Government of Luxembourg) 

With an increasing dependency on information 
and communication technologies, the threats to which 
our citizens, businesses and critical infrastructures are 
exposed to are growing steadily. New technologies bring 
with them new opportunities, but also create many 
new risks. Cloud computing and mobile devices, coupled 
with new concepts like “bring your own device”, offer 
immense flexibility and have the potential to boost effi- 
ciency in many activities. 

However, continued investment in cybersecurity is 
needed to minimise risk and to keep pace with new and 
emerging threats. As these threats emerge, cyber-at- 
tacks become more frequent. This is partly due to the 
growing number of potential victims and the profits 
available to the cyber attackers. 
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1 SIM3: Security Incident Management Maturity 
Model - SIM 3 mkXV, Don Stikvoort: 
http: //www. terena. org/activities/tf-csirt/ 
publications/SlMg-viypdf 


Managing cyber incidents has become a necessity and 
has led to the creation of dedicated teams in order to 
achieve this task. Their aim is to rapidly restore the sta- 
tus quo and normal operational systems. Other activities 
include raising the awareness and understanding of cy- 
ber incidents. This allows for a better risk assessment to 
support and advise the government in making the right 
decisions in cyber-crime prevention and detection. 

In setting up the Governmental Computer Security 
Incidents Response Team, the Luxembourgish Govern- 
ment took an important decision in the fight against 
cyber-crime. » 

Patrick HOUTSCH - Managing Director GOVCERT.LU 

L J 


3.2 Overview of organisational structure and 
key members 

GOVCERT.LU is operated by the State Ministry under the aus- 
pices of, and with authority delegated by a decision of the 
Council of Government dated of 15 th J uly 2011. The GOVCERT.LU 
team is operated by dedicated IT security experts. 

Since most of the proactive activities of GOVCERT.LU for han- 
dling cybersecurity threats will be deployed in the next years 
and the number of incidents handled by GOVCERT.LU is in- 
creasing overtime additional IT security experts will be hired 
to support its activities. 
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3.3 Investing into organisational development 

GOVCERT.LU is a newly established governmental institution 
in Luxembourg. Since its inception it has invested in setting 
up and building internal working procedures and system ar- 
chitecture. At this stage, GOVCERT.LU has contributed to an 
important number of policy documents at different maturity 
levels related to various internal processes (e.g. information 
disclosure policy, incident categorisation, incident reporting 
guidelines for constituency, call handling, collaborations, 
etc.). 

From a system perspective, GOVCERT.LU has set up a fully fea- 
tured system architecture embedding a complete set of back 
office applications as well as more specific business applica- 
tions, such as a ticketing system and information centralisa- 
tion and correlation databases. In order to enable an efficient 
collaboration with its constituency, GOVCERT.LU has defined a 
sustainable procedure to manage constituent information. 

GOVCERT.LU follows an accepted Information Security Man- 
agement System (ISMS) based on ISO 27000 series and a qual- 
ity assurance approach since its establishment. 

Furthermore, GOVCERT.LU is following SIM3 (Security Incident 
Management Maturity Model) as perthe instructions of FIRST 
(Forum of Incident Response and Security Teams - further dis- 
cussed below). Based on the SIM3 model, GOVCERT.LU aims 
to give its security or incident response a specific level of ma- 
turity. This will be achieved by focusing on organisation, hu- 
man resources, processes and tools. Prevention, detection, and 
feedback as well as resolution is also included in this focus 1 . 
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THE STATE OF SECURITY 



2 Global Risks 2013, 8 th edition - World Economic 
Forum: http://www.weforum.org/reports/global- 
risks-20ig-eighth-edition 


.1 Cyber-attacks are one of the top five global 
risks for 2013 


Figure i:Technological risks 
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According to the latest annual report from the World Eco- 
nomic Forum (WEF) 2 , cyber-attacks are one of the top five 
global risks likely to impact the planet over the coming years. 

The international organisation (WEF or another - if another 
it needs to be stated which) interviewed more than 460 ex- 
perts from industry, government, academia and civil society 
to compile its global risks report. 

The report examined 50 global risks across five categories - 
economic, environmental, geopolitical, societal and techno- 
logical -to formulate its conclusions. It placed cyber-attacks 
4 th on a list of top five global risks in terms of likelihood (after 
‘severe income disparity’, ‘chronic fiscal imbalances’ and ‘ris- 
ing greenhouse emissions’). 
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Specific to technological risks, cyber-attacks represent the 
risk with the highest probability of occurrence and in com- 
bination with its high impact, it is considered as one of the 
top technological risks together with critical systems failure, 
massive incident of data fraud /theft and digital misinforma- 
tion. 

The following figure shows the top technological risks for 
2013 in terms of impact and likelihood of occurrence, based 
on the WEF report. 


Despite the fact that the information security industry has 
been fighting cyber-attacks for several years, it is only now 
that WEF highlights cyber-attacks as a major threat at a glob- 
al level. However, WEF recognises cyber-attacks as criminal or 
terrorist attacks that can be also state-sponsored or state-af- 
filiated and organisations either in the private or public sec- 
tor need to acquire a better understanding of the true levels 
of the associated risk. 
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3 Red October - Kaspersky Lab. 

http: //www. kaspersky. conn / about /ne ws /virus/2 013/ 
Kaspersky _Lab Jdentijies -Operation _Red _October _ 
an -Advanced _Cyber_Espionage _Campaign_ 

Ta rg eting_Diploma tic_a nd -Government- 
Institutions Worldwide 


4.2 Overview of key security incidents 

4.2.1 Malware at the heart of cyber-attacks 

Malware (short for malicious software) is software used or 
created by attackers to disrupt computer operations, steal 
sensitive information, or gain access to private computer sys- 
tems. It can appear in the form of code, scripts, active content, 
and other software. It is a general term used to refer to a va- 
riety of forms of hostile or intrusive software. 

The effects of malware have been such that it forced the 
adoption of protection measures by most personal users and 
companies. 

In spite of the various protection measures applied by gov- 
ernmental institutions, companies and individuals, nobody 
can guarantee that malware can be detected and effectively 
eliminated. In fact, today’s malware detection rate is below 
100%. Malware is always evolving and new threats appear on 
a daily basis across the globe challenging users of systems, 
antivirus companies and organisations fighting cybersecuri- 
ty threats. ForGOVCERT.LU, a quick response to an incident is 
of vital importance for the cybersecurity of its constituency. 
For that purpose, GOVCERT.LU is continuously trying to im- 
prove its operations in incident handling by developing secu- 
rity tools, analysing malware and creating user awareness on 
key security events. 

4.2.2 Advanced Persistent Threats 

“Advanced Persistent Threats” or APT are cyber-attacks which 
are concentrated against a single target or group of targets 
and last until access is gained tothe organisations IT environ- 


ment. APT attacks are intended to remain "under the radar” 
for as long as possible to retrieve information. APTs usually 
create a backdoor in a vulnerable computer system (e.g. via 
the use of phishing emails) to gain access to a whole infra- 
structure where it can create new backdoors and collect and 
communicate information outside the organisation. 

Through their intrusion detection activities, GOVCERT.LU is 
observing many attacks of this kind and believes that such 
attacks will become more frequent in the future. 

The Red October Case 

Red October (identified as "Rocra”) is a targeted attack cam- 
paign that has been going on for at least five years. It has 
infected hundreds of victims around the world in eight main 
categories: Government, Diplomatic/ Embassies, Research 
institutions, Trade and Commerce, Nuclear/ Energy Research, 
Oil and Gas companies, Aerospace and Military. It is quite 
possible that there are other targeted sectors which have yet 
to be discovered or that have been attacked in the past. In 
Lu xe m bo u rg, Red Octo be r h a s p r i m a r i ly affected govern men- 
tal institutions. 

This campaign primarily targets countries in Eastern Europe, 
former USSR Republics, and countries in Central Asia, al- 
though victims can be found everywhere, including Western 
Europe and North America. 

The main objective of the attackers is to gather sensitive doc- 
uments from the compromised organisations, which include 
geopolitical intelligence, credentials to access classified com- 
puter systems, and data from personal mobile devices and 
network equipment 3 . 
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4 APT 1 - Exposing One of China's Cyber Espionage 
Units - http://intelreport.mandiant.com 

5 Miniduke - Kaspersky Lab - http://www.kaspersky. 
com/a bout/news/vi rus/20ig/Kaspersky_Lab_ 

I den tifes_M i n iD u ke_a_Ne w_M a I icio us_Pro gram _ 
Design ed_for_Spying_on_M ultiple_Govern m en t_ 
Entities _and_lnstitutions_Across_the_World 

6 Oracle Security Alert for CVE-20U-0422: 
http://www.oracle.com/technetwork/topics/ 
security/alert-cve-20ig-0422-i8g684g.html 


In Luxembourg, Red October had a limited impact on gov- 
ernmental ICT systems. A detailed analysis of the affected 
system by GOVCERT.LU showed that the attack could not be 
considered as unusually severe. 

The APT1 Case 

It is believed that APTi is a single organisation of operators 
that has conducted a cyber-espionage campaign against a 
broad range of victims since at least 2006. APTi is alleged to 
be one of the most prolific cyber espionage groups in terms 
of the sheer quantity of information stolen. 

Information stolen by the group includes manufacturing pro- 
cedures, business plans, policy positions and analysis, emails 
of high-ranking employees, user credentials, and product 
development and use. However, there is no “direct evidence” 
about who ends up receiving that information, or how all 
that data is processed into a usable form 4 . 

The MiniDuke Case 

In February 2013, Kaspersky Lab’s team of experts published 
a new research report on a series of security incidents involv- 
ing the use of the then discovered PDF exploit in Adobe Read- 
er (CVE-2013-6040) and a new, highly customised malicious 
program known as MiniDuke. The MiniDuke backdoor was 
used to attack multiple government entities and institutions 
worldwide during February 2013. Kaspersky Lab, in partner- 
ship with the CrySys Lab, analysed the attacks in detail and 
published theirfindings. 

According to their findings, a number of high profile targets 
have already been compromised by the MiniDuke attacks, 


including government departments in Ukraine, Belgium, 
Portugal, Romania, Czech Republic and Ireland. In addition, a 
research institute, two think tanks, and a healthcare provider 
in the United States were also compromised, as was a prom- 
inent research foundation in Hungary 5 . 

GOVCERT.LU confirmed that there have been victims of such 
a cyber-attack among its constituency. A detailed analysis re- 
vealed that the incident was of limited impact and involved 
only a very small number of governmental workstations. In 
the end, no critical systems have been affected and appropri- 
ate safeguarding measures have been deployed. 

4 . 2.3 Oracle Java CVE-2013-0422 

On 11 th January 2013 a vulnerability notification was published 
by GOVCERT.LU to increase public awareness of a highly crit- 
ical vulnerability in Oracle Java (CVE-2013-0422) affecting the 
Java plugin for Internet Explorer web browser. At the time of 
notification an update that could fix this issue was not yet 
available. 

This vulnerability might be remotely exploited without au- 
thentication (i.e. without the need for a username and pass- 
word). To be successfully exploited, an unsuspecting user 
running an affected release in a browser will need to visit a 
malicious web page that exploits these vulnerabilities. Suc- 
cessful exploits can impact the availability, integrity, and con- 
fidentiality of the user’s system 6 . 
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7 The Grand-Ducal decree of July 30th 2013: 

http://www.legilux.public.lu/leg/ci/ 
a rchives/2cn 3/0161/01161. pdf#page=2 

8 Trusted Introducer. 

http://www.trusted-introducer.org/ 

9 Support for CERTs /CSIRTs - ENISA. 

http://www.enisa.europa.eu/activities/cert/support 


4.3 The regulatory context 

4.3.1 A regulatory baseline 

The Grand-Ducal decree of July 30 th 2013 lays down the legal 
basis that determines GOVCERT.LU’s organisation and activ- 
ities. 

On 6 th September 2013 and after more than a year of oper- 
ational activities at GOVCERT.LU, this decree has been pub- 
lished in the Luxembourgish memorial with the aim to 
confirm the decision of the Council of Luxembourg Govern- 
ment and by doing so, giving a stronger legal baseline to the 
Luxembourgish Governmental CSIRT 7 . 

4.3.2 GOVCERT.LU has become an accredited member of 
Trusted Introducer 

On 8 th June 2012, GOVCERT.LU’s status was updated to an 
accredited member by Trusted Introducer (Tl). This is an 
important step for a CSIRT towards a successful integration 
into the European CSIRT community. 

The Trusted Introducer represents a backbone for the Securi- 
ty and Incident Response Team community in Europe. The Tl 
lists, accredits and certifies teams, and provides them with a 
well-balanced set of trusted security services 8 . 

4.3.3 Internal procedures in handling sensitive information 

GOVCERT.LU regards highly the importance of operational 

cooperation and information sharing between Computer 
Emergency Response Teams and other organisations which 
may contribute to or make use of its services. 


GOVCERT.LU will share information whenever this may assist 
the community in resolving or preventing security incidents 
whilst appropriate measures will betaken to protect the iden- 
tity of victims. Sensitive information remains protected in 
accordance with relevant regulations and policies within Lux- 
embourg. In particular, GOVCERT.LU strictly respects sensitivity 
labelling of information adopted by the referring entity. 

4.3.4 Guidelines to support the operation of European 
CERTs 

The successful creation and operation of CERTs/CSIRTs de- 
pends on a number of factors. A lot of mistakes can be made, 
especially in early phases that are difficult or impossible 
to mitigate later. For that purpose, ENISA provides a series 
of guidelines that aim at helping EU Member States, but 
also other stakeholders, to efficiently establish and operate 
CERTs/CSIRTs. The guidance provided by ENISA has been cre- 
ated in cooperation with experts in this field, who have many 
years of hands-on experience 9 . 

When GOVCERT.LU was established its management team 
followed the guidelines provided by ENISA which describe the 
processes of setting up a CSIRT (e.g. CSIRT strategy planning, 
business plan development, etc.). At the operational level, 
GOVCERT.LU also follows "running" guidelines on successful 
CSIRT operation, exercise and training material, baseline/ 
minimum capabilities of a CSIRT, incident management and 
other guidelines. 

4.3.5 Best practice guidelines established by FIRST 

FIRST is a global forum that brings together a variety of com- 
puter security incident response teams from government, 
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10 FIRST: http://www.first.org/ 

11 Proposal for a DIRECTIVE OF THE EUROPEAN 
PARLIAMENT AND OF THE COUNCIL concerning 
measures to ensure a high common level of network 
and information security across the Union - 
2013/002-7 (COD) - European Commission: 
http://eeas.europa.eu/policies/eu-cyber-security/ 


commercial, and educational organisations. It aims to foster 
cooperation and coordination in incident prevention, to stim- 
ulate rapid reaction to incidents, and promote information 
sharing among members and the community at large. 

Apart from the trust network that FIRST forms in the glob- 
al incident response community, FIRST also provides other 
services, such as access to an up-to-date best practice guide 
library. The intention is to assist FIRST team members and 
the public in configuring their systems securely by providing 
configuration templates and security guidelines. Such guide- 
lines are important as it is a complicated and time-consum- 
ing task even for experienced system administrators to know 
what a reasonable set of security settings is for any operating 
system. GOVCERT.LU follows these guidelines whenever pos- 
sible in order to ensure that strict IT security measures are 
applied 10 . 

4.3.C Network and Information security (NIS) measures 
across the EU 

The European Commission, together with the High Repre- 
sentative of the Union for Foreign Affairs and Security Policy, 
has published a proposed Directive on network and informa- 
tion security (NIS) which should be implemented byall Mem- 
ber States when it is adopted by the Council and European 
Parliament. 

The aim of the proposed Directive is to ensure a high com- 
mon level of network and information security. This means 
improving the security of the Internet and the private net- 
works and information systems underpinning the func- 
tioning of European societies and economies. This will be 
achieved by requiring the Member States to increase their 


preparedness and improve their cooperation with each oth- 
er, and by requiring operators of critical infrastructures such 
as energy, transport and key providers of information socie- 
ty services (e-commerce platforms, social networks, etc.), as 
well as public administrations to adopt appropriate steps to 
manage security risks and report serious incidents to the rel- 
evant national authorities 11 . 

Among other requirements, this new proposal requires 
Member States to set up a minimum level of national capa- 
bilities by establishing competent authorities for NIS, setting 
up Computer Emergency Response Teams, and adopting na- 
tional NIS strategies and cooperation plans. 

With the creation of its governmental CERT, the Luxembour- 
gish Government has already taken an important stepto com- 
ply with what might very soon become a legal requirement. 

1 1 B BBHBB Wamm 


Message from SnT (Interdisciplinary Centre for 
Security, Reliability and Trust - University of 
Luxembourg) 

GOVCERT.LU is essential to Luxembourg’s econom- 
ic dynamics: Modern-day information and communi- 
cation technology’s impact on our lives, our work, and 
our leisure and consumer behaviour is increasing. Thus, 
ICT security, reliability and trust are highly important 
prerequisites for a sustainable development in this field. 
GOVCERT.LU ensures that Luxembourg is optimally po- 
sitioned and protected against cyber-attacks: It is an 
essential instrument in offering citizens and industry 
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4.5 Incidents handled by GOVCERT.LU 



GOVCERT.LU handled several hundred incidents for the peri- 
od of April 2012 to September 2013. These incidents include 
all the cases handled by GOVCERT.LU including incidents that 
were handled by its analysts but which impacted victims out- 
side its user group. It is important to note that these figures 
do not include events such as investigations or notifications. 


V 


4.4 Incidents handled by GOVCERT.LU are 
recorded and monitored 


GOVCERT.LU has set up an incident control process by which 
the first trends on information security can already be shown. 
A list of key statistics has been prepared and presented be- 
low, showing useful information based on the categorisation 


of incidents provided above. 

An information security incident is a single or a series of 


erations and threatening information security (ISO 27000 
series). Incidents are processed through a ticketing system 
by the responsible operator. A unique ticket “ID” number is 
assigned to every incident and its details and status are mon- 
itored even after the incident is completely resolved. 

GOVCERT.LU has categorised incidents using different vari- 
ables including attack complexity, attack type, victim sector, 
incident impact, incident category, and used vulnerabilities. 
Such detailed categorisation enables GOVCERT.LU to be more 
proactive and to identify future trends out of previous inci- 
dents and to also take accurate decisions on handling inci- 
dents. A more detailed description of incident categories can 
be found in the glossary. 


unwanted or unexpected information security events that However the trends are not necessarily sustainable because 
have a significant probability of compromising business op- the statistical robustness is only at a developing stage. 
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4.5.1 Exploited vulnerabilities 


4.5.2 Incident categories 


Figure 2: Used vulnerabilities 


Figure 3: Incident categories 



31% of the vulnerabilities used in incidents handled by 
GOVCERT.LU have been classified as "patching", meaning 
that those attacks would not have been successful on a fully 
patched system. Such incidents can be avoided by adopting 
an effective patching policy. 


35% of the vulnerabilities have been classified as “social en- 
gineering”. This in return shows how important it is to raise 
awareness and train people with regards to the social engi- 
neering aspect of cyber-attacks. 


Very few incidents are related to poor design unknown or 
zero day vulnerabilities. 



Very few incidents had an impact on information (e.g. docu- 
ments, databases, credentials) as only 5% of the handled cas- 
es have been related to compromised information category. 

On the other hand, it can be shown that many incidents were 
related to the use of malicious code (36%) as well as of phish- 
ing techniques (25%). In 24% of the cases an asset had been 
successfully compromised by the attacker. Finally, one may 
notice the very few cases of denial-of-service attacks. 
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4 . 5.3 Targeted attacks 


4 . 5.4 Victim sector 


Figure 4: Share of targeted /opportunistic attacks 


Figure 5: Victim sector 
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As this chart shows, most cyber-attacks are not specifically 
targeted against GOVCERT.LU’s constituency. In fact the large 
majority of handled incidents are related to opportunistic 

attacks (84%) whereas the targeted attacks account for only 
16% of the cases. 



1% 1% 


1% 


1% 


1% 


Most of the incidents handled by GOVCERT.LU have occurred 
in governmental institutions. This does not necessarily mean 
that incidents are rare in all other sectors, but so far only a 
few have been reported to GOVCERT.LU. 

In the future, GOVCERT.LU is planning to ensure more active 
collaborations with other organisations in order to better 
handle incidents in various other sectors. 
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4.5.5 Incident impact 


4.5.6 Days to resolve incidents since identification 


Figure 6: Real incident impact 


Figure 7: Days to resolve incidents since identification 
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The above figure shows the impact an incident has on 
GOVCERT.LU’s constituency only. It is essential to note that 
this figure does not account for the possible impact an inci- 
dent could have outside GOVCERT.LU’s scope. 

It is noted that the majority of the incidents handled by 
GOVCERT.LU are of limited impact to its constituency. 



This specific chart can be considered as a performance indi- 
cator for GOVCERT.LU on resolving incidents. 

The figure shows how many days it takes GOVCERT.LU secu- 
rity analysts to resolve an issue that has been identified and 
recorded. Most of the incidents (about 65% of the total inci- 
dent population) are resolved within 10 days following their 
notification to or detection by GOVCERT.LU. 
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4.5.7 Number of incidents per week 


Figure 8: Number of incidents per week 



The red trendline shows a slight increase of incidents han- 
dled overtime. This trend is likely to keep on growing in the 
coming years until GOVCERT.LU activities are fully deployed 
and its constituency awareness has been fully set up. 


4.6 New technologies and future challenges 

Innovation is the secret weapon that helps businesses keep 
pace with change. In order to adapt to change, businesses 
need to explore, implement and refine new technologies to 
continue growing and evolving, particularly as threats evolve 
and risks grow. But the few technologies that help propel a 
business forward are the same ones that create new risks. 
New technologies open up tremendous opportunities for 
organisations, but the information security function needs 
to pay particular attention to associated risks and manage 
them appropriately. 
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4.6.1 Cloud computing 


Cloud computing can enable many organisations to increase 
their IT use by becoming more strategy-focused and less op- 
erations-focused. Cloud-based services are nimble and adap- 
tive, increasing the capability to read and react to changing 
marketplace conditions by responding to customer needs 
and competitors’ actions. 

Although there is no doubt that cloud computing appears 
to be well on its way to mainstream adoption, concerns over 
security and privacy are being voiced. Effectiveness and ef- 
ficiency of traditional information security and protection 
mechanisms are indeed questioned as cloud computing 
brings a new working model along with its adoption. On the 
privacy side, there is the threat that personally identifiable 
information stored in the cloud can be breached more easily 
than if stored in-house. 

Cloud computing requires an entirely new security govern- 
ance model and process. Factors that could accelerate the 
resolution of security and privacy issues associated with 
cloud computing adoption are leading practices, standards 
and cloud-specific regulation of security / privacy, all of which 
are slowly emerging from several regions around the world 12 . 

4.6.1 Mobile technology 

Technology advancement and the associated business ben- 
efits have vastly increased adoption rates of mobile technol- 
ogy. Tablet computer usage in business activities has more 
than doubled since 2011. As the mobility of today’s workforce 
continues to grow, the phrase “out of the office” becomes less 
relevant and the dramatic increase in the flow of informa- 


18 



13 Critical infrastructure at risk from SCADA 
vulnerabilities: http://www.infosecurity-magazine. 
com/view/2gs44/critical-infrastructure-at-risk- 
from-scada-vulnerabilities-/ 

14 Denial-of-service attack: http://www.cert.org/ 
tech _ti ps/den ial_of_service. h tm I 


tion in and out of an organisation becomes more difficult to 
control. Organisations recognise the need to do more. They 
are beginning to educate themselves about the capabilities 
and design of the mobile device security software products 
that are available on the market. Nevertheless, the adoption 
of security techniques and software in the fast-moving mo- 
bile computing market is still low. Encryption techniques are 
used only by few organisations. That clearly shows that the 
number of incidents as a result of using mobile technology 
will increase overtime. 

4.6.1 SCADA (Supervisory Control and Data Acquisition) 

SCADA are control systems used to monitor and control in- 
dustrial and manufacturing processes. These systems are 
used by a broad range of industries. SCADA systems basically 
collect relevant information through various kinds of sensors, 
which is then used to analyse events and trigger actions if 
required. The complexity of such systems ranges from simple 
to extremely complex depending on the company size and its 
business requirements. 

SCADA software, used for industrial control mechanisms 
in utilities, airports, nuclear facilities and manufactur- 
ing plants is increasingly becoming a target for attackers 
looking to exploit what appear to be growing numbers of 
vulnerabilities - giving rise to fears that critical infrastruc- 
ture may be at risk. With SCADA software being primarily 
responsible for critical operations and national infrastruc- 
tures, an attack of this nature could not only result in the 
loss of data, but could also cause damage to physical assets 
and in some scenarios, the loss of life. 


For now, cyber-attacks on SCADA systems are rare when com- 
pared to the number of incidents involving web applications 
or corporate IT networks, but the threat they pose is extreme- 
ly severe. As such, security must be updated 13 . 

4.6.' Distributed Denial-of-service (DDoS) 

Distributed denial-of-service attack (DDoS attack) is a tech- 
nique where hundreds or thousands of computer systems 
simultaneously conduct repeated queries to a victim’s serv- 
ers. As a result the volume of network traffic generated by 
this kind of attack is such that the targeted systems become 
unavailable and legitimate business cannot be conducted 
anymore. Some companies whose servers have been brought 
down using these denial-of-service attacks have reportedly 
lost up to millions of Euros per day 14 . 

There are two common ways to perform DDoS attacks. On 
one hand, attackers can force the targeted system to con- 
sume its resources so that it can no longer provide its service. 
On the other hand, attackers can block the communication 
means between legitimate users and the target so that the 
latter can no longer communicate effectively. 

The DDoS phenomenon started in 2003 when a number of 
online companies, including an online betting site, were at- 
tacked. Since then, DDoS attacks have become increasingly 
com mon. Online services should evaluate the opportunity to 
adopt measures against such attacks. 
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ACTIVITY REPORT 



15 Cyber Europe 2012, key findings and 
recommendations, ENISA: http-J/www.enisa. 
europa.eu/activities/Resilience-and-CIIP/cyber-crisis- 
cooperation/cyber-europe/cyber-europe-20i2/cyber- 
europe-20u-key-findings-report 


5.1 Report on key events organised and 
supported 

Participation in Cyber Europe 2012 

On 4 th October 2012 more than 500 cybersecurity profession- 
als across Europe including GOVCERT.LU, HCPN and CIRCL 
(Computer Incident Response Center Luxembourg) partici- 
pated in Cyber Europe 2012, the second pan-European Cyber 
Exercise organised by the European Network and Informa- 
tion Security Agency (ENISA). 

Cyber Europe 2012 had three objectives: 

1. Test the effectiveness and scalability of mechanisms, pro- 
cedures and information flow for public authorities’ coop- 
eration in Europe; 

2. Explore the cooperation between public and private stake- 
holders in Europe; 

3. Identify gaps and challenges on how large-scale cyber inci- 
dents could be handled more effectively in Europe. 

The exercise scenario revolved around large-scale cyber in- 
cidents in Europe, which affected all participating countries. 
Fictional adversaries joined forces in a massive cyber-attack 
against Europe, mainly through (distributed) Denial-of-ser- 
vice (DoS) attacks against public electronic services. The 
affected services were online e-government and financial 
(e-banking, etc.) services. 


Cyber incidents challenged the public and private sector par- 
ticipants, triggering a need for cross-country cooperation. 
Players received information on the scenario (injects) via 
emails, and had to collaborate using standard procedures 
and structures in order to assess the situation and agree 
upon a course of action. 

Cyber Europe 2012 produced a series of key findings regard- 
ing cooperation on national and international levels. The cy- 
ber exercises are summarised below: 

• Playing countries took cybersecurity incidents very seri- 
ously, responding to the challenges by escalating issues to 
their national crisis response cells and/or activating na- 
tional crisis structures. 

• Cyber Europe 2012 helped to build trust between countries. 

Trust is the key for successful and timely mitigation activi- 
ties during real cyber-crises. The exercise has fostered both 
new and existing relationships. 

• Cyber Europe 2012 has proven extremely useful fortesting 
national contingency measures and levels of prepared- 
ness 15 . 
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5.2 Tools and Methods used by GOVCERT.LU to 
support incident handling 


The graph below shows the differences among the different 
types of sharing information used by GOVCERT.LU. 


5.2.1 Sharing of information 

In the world of CERTs, the exchange of information related to 
cyber incidents is of great importance. Indeed, incident man- 
agement is often based on information exchanged between 
CERTs at national and international level. Therefore it is es- 
sential to have the necessary exchange of information and 
also to implement procedures for creating effective collab- 
oration between contacts. The exchange of information re- 
lates to incident reports, malware analysis, IP addresses and 
malicious Internet sites and vulnerabilities and artefacts of 
any kind (e.g. viruses, trojans, etc.). 

GOVCERT.LU shares incident information with its constituen- 
cy and third parties at different levels. Technical data includ- 
ing indicators of compromise (IOC) (e.g. URLs, domain names, 
IPs, ASN, file hashes, Filenames, Network traffic signatures, 
etc.) as well as malware samples and vulnerability notifica- 
tions are shared on a regular basis. 

According to the importance of the incidents detected, In- 
formation Sharing Papers (ISP) can be issued in order to get 
more insight into specific incidents. ISPs typically contain a 
richer set of information such as malware reversing details. 

If any ofthese incidents are of significant importance, appro- 
priate protection and prevention measures should be set up. 
GOVCERT.LU will then issue a security bulletin including in- 
depth impact analysis, time line information, attack profile as 
well as recommendations. 


Figure 9: Information sharing funnel 



5.2.2 Malware analysis 

A “Lab” is operated by GOVCERT.LU security analysts where 
they can safely execute and inspect advanced malware. Ana- 
lysts use this secure environment to test, replay, characterise, 
and document advanced malicious activities. 

Malware examination can be achieved either through static 
or dynamic analysis. Static analysis involves investigation of 
malware in a safe environment and without real code execu- 
tion. However, in orderto better understand the behaviourof 
certain malware, dynamic analysis is required. Dynamic anal- 
ysis is a method used for determining malware’s execution 
behaviour by running and observing the malicious code in a 
protected environment. 
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5.2.3 Development of security tools 

Security analysts at GOVCERT.LU are involved in the develop- 
ment of security tools that further improve GOVCERT.LU effi- 
ciency in handling incidents. Such tools include passive DNS 
database, automated log parsing tools, artefact handling da- 
tabase, data visualisation systems, open source intelligence 
tracker, system cloning and forensics tool box. Whenever pos- 
sible, GOVCERT.LU tries to make these developments availa- 
ble to the community. 

5.2.4 Training sessions /workshops 

GOVCERT.LU will provide a series of training sessions or work- 
shops for public sector institutions and other non-govern- 
mental infrastructures to help them handle incidents and 
improve future collaborations. 

Through these training sessions, GOVCERT.LU will inform 
various stakeholders about available services, provides sta- 
tistics regarding cyber-crime and incidents reported in the 
European Union, explains the collaboration of GOVCERT.LU 
with other institutions in fighting cyber-crime and provides 
typical examples of different type of incidents (e.g. malicious 
code, phishing, compromised asset, etc.). 

Furthermore, GOVCERT.LU will provide information about the 
different ways that are available for system users to report 
incidents and how certain organisations can register with 
GOVCERT.LU to enable better performance in handling inci- 
dents. 


5.2.5 Quality control 

GOVCERT.LU gives high importance on the quality of services 
provided. Besides the internal monitoring of the quality and 
performance on incident handling by the security analysts, 
GOVCERT.LU undertakes customer satisfaction surveys on a 
regular basis. 

GOVCERT.LU requests and receives feedback from selected 
incident victims in order to further improve its services for 
the future. 


5.3 National and international collaborations 

GOVCERT.LU strongly collaborates with other governmental in- 
stitutions with the objective toenhance IT and network security 
in Luxembourg’s public sector and critical infrastructures. 

5.3.1 Haut-Commissariat a la Protection Nationale 

HCPN is responsible for managing crisis situations in Lux- 
embourg and protecting the citizens of Luxembourg from 
threats that could potentially lead to a crisis. Cyber-crime is 
currently one of HCPN’s hot topics and it works together with 
GOVCERT.LU in developing a national cybersecurity plan. 

A strong relationship exists between HCPN and GOVCERT.LU 
at various levels. These include the reporting of high risk inci- 
dents that are further assessed by HCPN as well asthe defini- 
tion and protection of critical infrastructures in Luxembourg. 

Critical infrastructure corresponds to all facilities, networks, 
services, systems or even sectors of vital importance for 
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which the destruction, damage, interruption of function or 
disclosure would threaten national security, national econ- 
omy, public health, and safety of the population or govern- 
mental operations. 

According to a new national law (currently at draft stage) 
based on the European Directive 2008/114/EC, critical in- 
frastructures operating within the borders of Luxembourg 
should be identified and protected. In this context, the own- 
ers and operators of critical infrastructures may be invited to 
take the necessary measures to improve resilience and facil- 
itate crisis management. The proposed scheme introduces 
additional administrative sanctions in case of non-compli- 
ance with the new law and adapts several other legal texts. 

M HUB B , 


Message from HCPN (Haut-Commissariat a la 
Protection Nationale) 

Since its beginning, GOVCERT.LU has already had 
considerable impact on several levels in the cyber land- 
scape in Luxembourg and beyond. While building up 
the capacities on the classical CERT day-to-day business, 
it has established itself as a prime contact for policy 
makers and has an important role to play in national 

CIIP ff 

Paul RHEIN - Conseiller-lnformaticien f re classe 
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5.3.2 Cyber Security Board 

As a member of the Cyber Security Board (CSB), GOVCERT. 
LU contributes to the creation and maintenance of Lux- 


embourg’s national cybersecurity strategy. Furthermore 
GOVCERT.LU supports the CSB with its consultancy and ex- 
pertise services. Drafting technical expertise documents or 
chairing working groups of the CSB are two examples on 
how GOVCERT.LU supports the national Cyber Security Board. 

5.3.3 Centre des Technologies de (’Information de I’Etat 

CTIE has been established in 2009 by the Luxembourg Gov- 
ernment to better meet the challenges of the information so- 
ciety and support the generalisation of electronic exchanges 
within the public sector. 

The Security and Audit Division (DSA) of CTIE is a strategic 
partner for GOVCERT.LU. DSA provides to the security ana- 
lysts of GOVCERT.LU the necessary technical information and 
data that enable GOVCERT.LU to detect many cyber incidents 
in near real time without user intervention. 

•• m BXf T flMB B B ! ^ B flB ’ \ 


Message from CTIE (Centre des Technologies de 
(’Information de I’Etat) 

CTIE and GOVERT.LU collaborate on a daily basis 
regarding incident handling. The security analysts of 
GOVCERT.LU have the right technical skills to detect and 
resolve cybersecurity threats affecting governmental 
institutions. It’s a highly motivated team of young pro- 
fessionals and we are benefiting from their reliability. 
We are looking forward to intensifying our collaboration 



Manuel PICCO - Charge d’etudes-informaticien principal 
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16 Trans-European Research and Education 
Networking Association (TERENA) -TF-CSIRT: 

http://www.terena.org/activities/tf-csirt/ 


5.3. TF-CSIRT 

GOVCERT.LU has been a member of the Task Force for Com- 
puter Security Incident Response Teams (TF-CSIRT) since its 
inception. A presentation ofGOVCERT.LU was held at the task 
force meeting on 22 nd September 2011. TF-CSIRT promotes col- 
laboration and coordination between CSIRTs in Europe and 
neighbouring regions, while liaising with relevant organisa- 
tions at a global level and in other regions. 

TF-CSIRT provides a forum where members of the CSIRT com- 
munity can exchange experiences and knowledge in a trust- 
ed environment in order to improve cooperation and coordi- 
nation. It maintains a system for registering and accrediting 
CSIRTs, as well as certifying service standards. 

The task force also develops and provides services for CSIRTs, 
promotes the use of common standards and procedures for 
handling security incidents, and coordinates joint initiatives 
where appropriate. This includes the training of CSIRT staff 
and assisting in the establishment and development of new 
CSIRTs. 

The task force further liaises with FIRST, ENISA and other re- 
gional CSIRT organisations, as well as defence and law en- 
forcement agencies 16 . 

5.3.5 FIRST 

GOVCERT.LU is participating in events and meetings organ- 
ised by FIRST which is the premier organisation and rec- 
ognised global leader in incident response. It consists of a 
network of individual computer security incident response 
teams that work together voluntarily to deal with computer 


security problems and their prevention. These teams repre- 
sent governments, law enforcements, academia, the private 
sector, and other organisations as determined by the Steer- 
ing Committee. 
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6. GLOSSARY 


APTi: Advanced persistent threat i (name given to a cy- 
ber-crime organisation by security company Mandiant). 

CCG: Centre de Communications du Gouvernement (Luxem- 
bourg). 

CIRCL Computer Incident Response Center Luxembourg. 

CSIRT: Computer Security Incident Response Team. 

CUE: Centre des Technologies de I’lnformation de I’Etat. 

Cyber Security Board (CSB): The Cyber Security Board of Lux- 
embourg has the mission to develop and maintain a national 
strategic plan against cyber-attacks and ensure the proper 
execution of this plan. 

DDoS: Distributed Denial-of-service attack. 

ENISA: European Network and Information Security Agency. 

European Directive (2008/114/EC): Council Directive 

2008/114/EC of 8 th December 2008 on the identification and 
designation of European critical infrastructures and the as- 
sessment of the need to improve their protection. 

FIRST: Forum of Incident Response and Security Teams. 

GOVCERT.LU: Computer Emergency Response Team of the 
Government of Luxembourg. 


HCPN: Haut-Commissariat a la Protection Nationale. 

ICT: Information and Communication Technology. 

Incident: A single or a series of unwanted information securi- 
ty events that have a significant probability of compromising 

business operations or threatening information security. 

Incidents categories: 

• CAT 1 - Compromised information: Successful destruction, 
corruption, or disclosure of sensitive corporate information 
or Intellectual Property. 

• CAT 2 - Compromised asset: Compromised host (root ac- 
count, Trojan, root kit), network device, application, user 
account. This includes malware-infected hosts where an 
attacker is actively controlling the host. 

• CAT 3 - Unauthorised access: In this category an individual 
(internal or external) gains logical or physical access with- 
out permission to a national or local network, system, ap- 
plication, data, or other resource. 

• CAT 4 - Malicious code: Malicious software (e.g. virus, 
worm, Trojan horse, or other code-based malicious entity) 
that infects an operating system or application. 

• CAT 5 - (Distributed) Denial-of-service: An attack that suc- 
cessfully prevents or impairs the normal authorised func- 
tionality of networks, systems or applications by exhaust- 
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ing resources. This activity includes being the victim or 
participating in the DoS. 

• CAT 6 - Theft or loss: Theft or loss of sensitive equipment 
(Laptop, hard disk, media etc.) belonging to the organisa- 
tion. 

• CAT 7 - Phishing: Use of fraudulent computer network 
technology to entice an organisation’s users to divulge 
important information, such as obtaining users’ bank ac- 
count details and credentials by deceptive emails or fraud- 
ulent web site. 

• CAT 8 - Unlawful activity: Fraud /Human Safety/Child 
Porn. Computer- related incidents of a criminal nature, 
likely to involve law enforcement, Global Investigations, or 
Loss Prevention. 

• CAT 9 - Scans/ Probes /Attempted access: This category 
includes any activity that seeks to access or identify an or- 
ganisation computer, open ports, protocols, service, or any 
combination for later exploit. This activity does not directly 
result in a compromise or denial-of-service. 

• CAT io - Policy violations: Deliberate violation of InfoSec 
policy, such as: 

• Inappropriate use of corporate asset such as computer, 
network, or application. 

• Unauthorised escalation of privileges or deliberate at- 
tempt to subvert access controls. 

ISMS: Information Security Management System. 


ISP: Information Sharing Papers. 

Malware: Software used or created by attackers to disrupt 

computer operation, steal sensitive information, or gain ac- 
cess to private computer systems. 

NIS: Network and Information Security. 

Incident impact 

• Critical: Incidents with a very high impact on the attacked 
organisation and where special and immediate response is 
required. Such incidents can lead to a potential crisis situ- 
ation in Luxembourg, high ranking governmental officials 
may be contacted for further action and the situation is 
continuously monitored by GOVCERT.LU and other related 
parties. 

• High: Incidents of high impact that require an immedi- 
ate treatment, however the probability of such incidents 
to affect national security and lead to a crisis situation is 
limited. 

• Low: Incidents of low or medium impact. These incidents 
are usually resolved by GOVCERT.LU without any addition- 
al support from other external parties. The majority of in- 
cidents fall into this category. 

• None: Incidents that have no real impact for the users 
of the affected systems. Such incidents are frequent and 
represent a high portion of the total incidents handled by 
GOVCERT.LU. 

SB: Security bulletin. 
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SCADA: Supervisory Control and Data Acquisition. 

TF-CSIRT:Task Force for Computer Security Incident Response 
Teams. 

Tl: Trusted introducer is the trusted backbone of the Securi- 
ty and Incident Response Team community in Europe. The Tl 
lists, accredits and certifies teams, and provides them with a 
well-balanced set of trusted security services. 

Traffic Light Protocol (TLP): It was created to encourage great- 
er sharing of sensitive information. It is a set of designations 
used to ensure that sensitive information is shared with the 
correct audience. 

Vulnerabilities: 

• Patching: This means that a patch for the used vulnerabil- 
ity was available. Therefore the incident could have been 
prevented if a patching policy was applied. 

• Zero day: A zero-day attack or threat is an attack that ex- 
ploits a previously unknown vulnerability in a computer 
application, meaning that the attack occurs on “day zero” 
of awareness of the vulnerability. This means that the 
developers have had zero days to address and patch the 
vulnerability. Zero-day exploits (actual software that uses 
a security hole to carry out an attack) are used or shared 
by attackers before the developer of the target software 
knows about the vulnerability. Incidents exploiting this 
type of vulnerabilities are difficult to prevent. 

• SociaLThis means that the attack used the nature of man- 
kind by manipulating people into performing actions in 


order to be effective. Social engineering, in the context of 
security, is the art of manipulating people into performing 
actions or divulging confidential information. This is a type 
of confidence trick for the purpose of information gather- 
ing, fraud, or computer system access. 

• Configuration: This vulnerability category refers mainly to 
a wide variety of server configuration problems that can 
plague the security of a web site. These include: 

• Server software flaws or miss-configurations that per- 
mit directory listing and directory traversal attacks. 

• Unnecessary default, backup, or sample files, including 
scripts, applications, configuration files, and web pages. 

• Improper file and directory permissions, etc. 

• Design flaw: Insufficient input data validation or weakly 
designed security concepts. Such flaws are usually identi- 
fied at a later stage during the operation of the specific 
software and can contribute to or cause a system failure or 
erroneous human decision. 

• User error: These vulnerabilities refer to incidents that in- 
volve usererrors.This includes loss of equipment or remov- 
able media and choosing weak passwords. 

• None: Through analysis it was not possible to determine 
which vulnerabilities were used. 

WEF: World Economic Forum. 
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